# require-sarif-upload-security-events-write

Rule catalog ID: R102
## Targeted pattern scope

Jobs that use `github/codeql-action/upload-sarif`.
## What this rule reports

This rule reports SARIF upload jobs that do not grant `security-events: write`.
## Why this rule exists

Uploading SARIF to GitHub code scanning requires the `security-events: write` permission. Requiring the grant to be stated explicitly keeps workflow permissions correct and reviewable, so a reader can see at a glance why the job needs write access and that nothing broader was granted.
### Incorrect

```yaml
permissions:
  contents: read
```
### Correct

```yaml
permissions:
  contents: read
  security-events: write
```
## Additional examples

This rule applies to any SARIF uploader step using `github/codeql-action/upload-sarif`, not just CodeQL-native workflows.
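The check this rule performs, written out as an added Python example (not the plugin's own implementation). It operates on a workflow already parsed from YAML into Python objects, flags every job whose steps use `github/codeql-action/upload-sarif` unless the effective `permissions` block grants `security-events: write`, and also handles the `read-all`/`write-all` shorthand. It assumes GitHub Actions semantics in which a job-level `permissions` block replaces the workflow-level one entirely; the sample workflow, job names and step commands are constructed for illustration.

```python
"""Find SARIF upload jobs that lack security-events: write (the condition
this rule reports). Input is a workflow already parsed from YAML."""

UPLOAD_SARIF = "github/codeql-action/upload-sarif"


def _grants_security_events_write(permissions):
    """True if a permissions value grants security-events: write.
    Accepts the string shorthand ("read-all"/"write-all") or a mapping;
    a missing or empty block grants nothing."""
    if permissions is None:
        return False
    if isinstance(permissions, str):
        return permissions == "write-all"
    return permissions.get("security-events") == "write"


def _uses_upload_sarif(job):
    """True if any step in the job uses the SARIF uploader action (any ref)."""
    return any(str(step.get("uses", "")).startswith(UPLOAD_SARIF)
               for step in job.get("steps", []))


def find_violations(workflow):
    """Return the ids of jobs that upload SARIF without security-events: write.
    Assumption (GitHub Actions semantics): a job-level `permissions` block
    replaces the workflow-level block, so only the nearest block counts."""
    top_level = workflow.get("permissions")
    violations = []
    for job_id, job in workflow.get("jobs", {}).items():
        if not _uses_upload_sarif(job):
            continue
        effective = job["permissions"] if "permissions" in job else top_level
        if not _grants_security_events_write(effective):
            violations.append(job_id)
    return violations


# Constructed sample workflow (not from the page): one non-CodeQL uploader job
# that inherits a read-only workflow-level block, one job with a correct
# job-level grant, and one job with no uploader at all.
SAMPLE_WORKFLOW = {
    "permissions": {"contents": "read"},
    "jobs": {
        "lint-scan": {"steps": [
            {"run": "./run-linter.sh --sarif results.sarif"},
            {"uses": "github/codeql-action/upload-sarif@v3",
             "with": {"sarif_file": "results.sarif"}}]},
        "codeql": {"permissions": {"contents": "read", "security-events": "write"},
                   "steps": [{"uses": "github/codeql-action/upload-sarif@v3"}]},
        "unit-tests": {"steps": [{"run": "npm test"}]},
    },
}

if __name__ == "__main__":
    print(find_violations(SAMPLE_WORKFLOW))  # ['lint-scan']
```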
## ESLint flat config example

```javascript
import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.codeScanning];
```
## When not to use it

Disable this rule only if the uploader step is never intended to publish SARIF into GitHub code scanning.